UK Honeynet Project 

The Honeynet Project published it’s annual status report today, which includes a round up the R&D activity undertaken by members during the previous year. Details of some UK Honeynet Project are also included.

The New Zealand Honeynet Project have been busy with version two of their Capture-HPC client honeypot application, which we use internally for crawling and analysis of suspect URLs. Some of the new features include:

* support for any client application that is http protocol aware (for example, Microsoft Excel)

* ability to automatically collect malware

* ability to automatically collect network traffic on the client

* ability to push exclusion lists from the Capture Server to the Capture Client

* improved control of Internet Explorer: obtain HTML error codes; specify visitation delay after page has been retrieved; retry visitation of URLs in case of time outs or network errors)

* support for plug-in architecture, that allows to create fine grained control of clients (for example, as provided for Internet Explorer), but also allows for integration of client applications that require complex interactions to retrieve content from the web ( e.g. Safari is such an application. It doesn’t allow retrieval of web content by passing the URL as a parameter)

Highly recommended if you are interested in research in this area, as it is very actively maintained and has been effective in our experience.

Lance Spitzner was one of the keynote speakers at Hack-In-The-Box 2007 in Malaysia this week, and talked about some of the research we have been involved in recently (including the Honeynet Project’s Global Distributed Honeynet initiative – GDH, which David led). More details can be found at the conference web site.

I’ve wanted to post this graph for a while but only just got round to anonymising the data.

Looking at piles of IRC logs can be very unilluminating, but it’s not obvious what to do with all the data. One nice way of getting a handle on links between channels is to plot channels with links between them weighted by the number of users in common.

The example above is from a honeynet we ran in 2004/5. The graph shows up a couple of things nicely:

1) There are two distinct groups of channels, and a look at the data shows that there two groups correspond to channels in different languages and,
2) The strong links between a couple of channels in the main group show up that these channels are related and looking at the data shows them to be used for discussing hacking, while the other channels are innocuous.

The original channel names have been replaced by ‘cN’ to protect the guilty.

There’s an interesting Google Tech Talk by Ross Anderson on ‘Searching for Evil’ about his work on looking at how “evildoers” network and the implications this has.

http://video.google.com/videoplay?docid=-1380463341028815296

Members of the UK Honeynet Project and Honeynet Project were again attendees at the 3rd Internet Security Operations and Intelligence workshop in Washington DC this week, which provided an another excellent opportunity to catch up with other researchers and discuss the latest online threats. Press coverage.

Long time Honeynet Project members Niels Provos and Thorsten Holz’s book “Virtual Honeypots: From Botnet Tracking to Intrusion Detection” was released in the US last month but has only just become available here in the UK recently. It has picked up a number of good reviews, and we highly recommended it for a good background on honeynet technologies and their uses.

The Honeynet Project has released a new Know Your Enemy white paper on malicious websites and attacks against web browsers: “In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC”. This paper contains lots of interesting web attack related material.

http://www.honeynet.org/papers/mws/